Managing Employee Data

Handling Employees’ Accounts, Data and Access in Special Situations

Can I restrict my employees' personal use of their computers while at work?

IU policy allows employees some incidental personal use in the course of their work duties. However, that personal use must be appropriate; it must not violate the law, interfere with the employee's work responsibilities, or conflict with the university's mission of providing education through teaching, research, and public service. Additionally, employees may not use university resources for commercial or private gain, or for activities that are inconsistent with the university's tax-exempt status (such as political campaigning).

Supervisors are authorized to require employees to cease or limit any incidental personal use that interferes with job performance or violates university policy. If you feel that your employees may be neglecting work due to incidental personal use, you can address their behavior using progressive discipline, but be sure to consult with your departmental human resources person, the central human resources office, or the employee relations office. Be careful to address the job duties being neglected, not the personal use.

If you are unsure of the relationship of the incidental personal use to the university's mission, you can contact the University Information Policy Office (UIPO) or your regional campus Chief Information Officer (CIO) to help you determine whether the use is appropriate.

Investigations of Misconduct

An employee's access to computers or accounts may be disabled or limited while an investigation is being conducted into alleged misconduct, even if the person is still employed by IU.
Reasons for restricting employees' use of computers or accounts while at work include, but aren't limited to, the following:

Concern for safety of departmental or other systems and data

Reasonable belief that the employee is involved in illegal activities

Reasonable belief that the employee has violated university policy

If you feel that an active employee's use of computers or accounts needs to be disabled or restricted, be sure to consult with your departmental human resources person, the central human resources office, or the employee relations office BEFORE taking any action.

Tips

To avoid the problem altogether, your department can publish a local policy that defines the acceptable level and nature of incidental personal use. When writing departmental policies, be careful to avoid targeting individuals.

More Information

This information is based on the university's IT policy IT-01 and IT policy IT-03.

In order to promote free discourse and maintain the environment appropriate to a learning institution, and because the university does allow incidental personal use, university policies protect the right to privacy of computer data whenever possible. There are, however, times when a legitimate need arises for which you as a supervisor require access to an employee's computer data:

If you need access to proceed with work and the employee is unavailable to access the data for you, obtain written (email or paper) permission from the employee granting access to the content.

If the employee can't grant permission (e.g., has been terminated, is deceased or incapacitated), get written permission from your department's senior executive officer.

If you think the employee is engaged in illegal activities using university accounts or resources, or if you believe the individual is violating university policy, get written authorization from the appropriate campus chancellor.

In an emergency situation where you believe processes active in an employee's account or on an employee's device can cause or are causing system degradation or damage to other data, a technician or administrator can permit immediate access.

If the employee is involved in fiscal misconduct, you will need a directive from the Director of Internal Audit.

For other legal matters, you may need a court order or other legal documents and further direction from University Counsel.

Unless it's inappropriate or impossible, you should notify the employee before you access the data. Otherwise, you should notify the employee as soon as possible after the access.
Without specific authorization, you may use system-generated, content-neutral information (i.e., system logs, login records, connection logs, network activity logs, email logs, and auditing logs) to:

Monitor system and storage usage

Troubleshoot

Secure departmental systems

Investigate technology abuse or misuse

Support formal audits

When you contact a technician for access to an employee's data, that technician is required, where possible, to consult with the appropriate campus Chief Information Officer (CIO), who ensures that the appropriate authorization or permission has been granted. In doing so, the campus CIO is encouraged to consult with a university Information Technology Policy Officer, who can provide advice and policy interpretation to not only the CIOs, but also to you directly.

Tips

To ensure uninterrupted access to office communications, consider creating a departmental email account, which you can then publish as your contact point instead of publishing an individual's email account. Departmental account access can be assigned to different individuals depending on who is working at the time. Information about getting departmental accounts is available here.

To ensure uninterrupted access to shared data, you can name folders something generic, e.g., "Project X". Folders that are named with an employee's username or name are considered assigned to that user and require the authorization provisions above.

You are legally required to report security breaches and notify the individuals involved, if the security breach disclosed or exposed a Social Security number (SSN), or any of the following in combination with a first name/initial and a last name:

Credit card, debit card, or any other financial account numbers

Access or security codes, or any passwords

Driver’s license or state identification card numbers

You can find detailed steps for reporting a suspected breach on the UIPO security incident response pages. Notification to affected individuals usually comes from the unit associated with the breach, but be sure to coordinate with the IIA incident response team. They will make sure the appropriate forensic steps have taken place and the appropriate notification procedure is followed.

What should I do if I suspect an employee is misusing or abusing information or information technology at IU?

If you suspect that an employee may be misusing or abusing information or information technology at IU, first try to identify specifically what policy or law may have been violated. If you need assistance finding or interpreting applicable policies or laws, you can consult with any of the following:

Your departmental, campus, or University Human Resources office (if the employee in question is a staff member)

Your departmental, campus, or University Dean of Faculties Office (if the employee in question is a faculty member)

The University Information Policy Office

University Counsel (812-855-9739 for all campuses other than IUPUI; 317-274-7460 for IUPUI)

Once you have identified the applicable policy or law, you can address the behavior using progressive discipline, but be sure to consult with your departmental human resources person, the central human resources office, or the employee relations office before taking any action.

If you need to gather technical evidence or need a technical investigation or forensics expert, please contact the UIPO Incident Response team. Usually, results from the technical investigation or forensics study will be provided to the central administrative office for the category of employee (UHRS Employee Relations for staff, and Dean of Faculties for faculty), rather than the supervisor. That administrative office will coordinate next steps.

If you wish to remain anonymous while reporting a suspected abuse or misuse of information or information technology, Indiana University has a Whistleblower policy which protects your identity.

To use IU's anonymous reporting hotline

Handling Employee Account, Data and Access When They Terminate

There are several computer-related tasks that need to be completed when an employee leaves the university or changes departments. Some of these tasks may need to happen immediately upon notice, some need to occur before the individual leaves, and others occur on the last day. In the following sections we’ll provide guidance on how and when to take action on an employee’s account, data and access.

Things to do as soon as the Employee gives Notice

As soon as an employee gives notice they will be leaving the institution or changing departments, the following tasks should be initiated:

Collect written resignation letter from the departing employee

Have the departing employee enable his or her out-of-office auto-reply with relevant information about the departure date and the new contact information. This will not limit the departing employee's ability to receive/send mail, but will begin to let others know of the upcoming transition.

NOTE: If the departing employee is also a student, this may not be feasible, or, the content of the auto-reply may need to be worded to address only the work-related emails.

Have the employee gather his or her list of external contacts, and begin emailing each of them to inform them of the transition. The email message should provide the name/email of the new contact or temporary contact until a new employee is hired

Update the contact information on your department's public Web site to reflect the new contact or temporary contact until a new employee is hired

Ask departing employee to begin moving all critical office documents from his or her personal folders to shared departmental locations. This includes all IU locations, both electronic (email, departmental file server, OnCourse sites, etc.) and paper. This ALSO includes all personal locations, both electronic (home computer, personal laptop, cell phone/PDA, etc.) and paper (home office, briefcase, etc.)

Ask departing employee to begin removing all personal files and belongings from all IU locations, both electronic and paper

Things to do Before an Employee Leaves

While employees transfer to other departments or leave the university outright, the business of your department and the university must progress. If you have a single employee serving as the point of contact for one or multiple departments, without proper preparation, transitioning to new staff can be difficult. Here are some things to consider doing to make staff transitions easier before you have a problem:

Use a departmental group account for email

To ensure uninterrupted access to office communications, consider creating a departmental email account, which you can then publish as your contact point instead of publishing an individual's email account. Departmental account access can be assigned to different individuals depending on who is working at the time.

Use a searchable public web site

Ensure that your unit has a public Web site that is easily searchable by your department's name and appears near the top of the results list in common search engines such as Google.

Be sure to keep an updated list of contact information (including telephone, email, postal mail address, and fax) on your public web site.

Utilize shared files and use generic names

To ensure uninterrupted access to shared data, you can name folders something generic, e.g., "Project X". Folders that are named with an employee's username or name are considered assigned to that user and require the authorization provisions above.

Ensure departing employee has moved all critical office documents from his or her personal folders to shared departmental locations. This includes all IU locations, both electronic (email, departmental file server, etc.) and paper. This ALSO includes all personal locations, both electronic (home computer, personal laptop, cell phone/PDA, etc.) and paper (home office, briefcase, etc.)

Ensure departing employee has removed all personal files and belongings from all IU locations, both electronic and paper

Determine and implement email transition plan:

Departing employee manually forwards work emails to the department until the account is disabled (seven days after termination date), or

Set the auto forward to send all of the departing employee's emails to the department until the account is disabled. NOTE: If the departing employee expects to work in another department at IU or become an IU student, this option is not appropriate, because the email account will begin to be used for the departing employee's new role

Determine and implement telephone transition plan:

Change greeting message

Forward telephone calls to another employee in the department

Cancel departing employee's long distance authorization number.

Request disabling of all non-centrally maintained accounts. This could include departmental servers and services, special research services, external services, and some institutional data systems such as HRMS and SIS.

Collect university-issued items, if they were issued to departing employee:

Inform departing employee that accounts are disabled seven days after separation from the university; however, some access to self-service information in OneStart remains available.

Pay advices and tax forms remain available via the Employee Center until October of the year following termination from the university.

Health and dental benefits are discontinued immediately following separation from the university.

Remind departing employee to visit the Benefits Office, if needed.

Things to do After the Employee’s Last Day

When the HRMS e-Doc processing the separation of the employee from IU is completed, on the date indicated as the separation date, the departing employee will receive a courtesy email message indicating that accounts will be disabled in seven (7) days.

All centrally-maintained accounts and their contents are then deleted permanently 180 days later.

However, if the employee is also an active student, centrally-maintained accounts will remain active due to the individual's student status. Departmentally-maintained accounts may have different policies.

More information about eligibility to use information technology resources at IU can be found in IU policy IT-03.

Other Frequently Asked Questions

Can I immediately disable a terminated employee's accounts?

Upon terminating an employee, you can have the employee's accounts immediately disabled with a written request to the managers of those accounts. Reasons for immediate disabling include, but aren't limited to, the following:

Concern for safety of departmental or other systems and data

Reasonable belief that the terminated employee is involved in illegal activities

Reasonable belief that the employee has violated university policy

Written requests to immediately disable accounts managed by UITS are directed to valid@indiana.edu.

Before requesting removal of access for staff or faculty who are also students, the department should also consult with the appropriate Dean of Students or equivalent. Don't forget to also notify local department account managers, and account managers for institutional data systems such as HRMS, SIS, FIS, and IUIE.

If the employee is being terminated for cause, you may wish to schedule the disable to occur during the termination meeting with the employee so that accounts are disabled by the time the meeting is over. To arrange for this situation with UITS Accounts Administration, call 812-855-2843 or 317-278-3305.

Don't forget to also notify local department account managers. Disabling the UITS netid will also immediately disable access to institutional data, but you will need to follow up with those institutional data systems after the meeting to complete the disable process for those systems.

Under normal circumstances, employee accounts are disabled seven days after official university records (e.g., campus HR data) indicate that the employee has resigned or been terminated. For 180 days after disabling, files associated with the accounts exist, in the event someone would need to recover content.

How can I ensure departing hourly employees no longer have access to departmental resources?

Upon the resignation or termination of hourly positions, you must complete the paperwork that terminates the employment. Otherwise, ex-employees will continue to have access to university and departmental resources (e.g., email, departmental or university computing accounts). If you need help, contact your departmental or campus Human Resources office.

Under normal circumstances, employees’ accounts are disabled once official records (e.g., campus HR data) indicate that employment has been terminated, which is dependent upon a supervisor completing and submitting the termination paperwork.

For a short time after disabling, files associated with the account will remain available to recover content when necessary.

Also, remember that since some employees may also be active students, centrally-maintained accounts can remain active due to the individual's student status. In such cases it is especially important to notify local department account managers, and account managers for institutional data systems (such as HRMS, SIS, FIS, and IUIE) of the individual's change in employment status.

For university policy regarding eligibility to use technology resources, see the university's IT policy IT-03. Feel free to contact the UIPO if you would like more information.

Is there someone I can speak with regarding information policy, privacy or security?

If you have additional questions, feel free to contact our offices.

The easiest way to contact us is via email. You may reach the Information Policy Office at uipo@iu.edu. The Information Security Office may be reached at uiso@iu.edu.